Hacker attacks show vulnerability of cloud computing

David Sarno and Salvador Rodriguez, Los Angeles Times

As hackers continue their rampage against the world's largest banks, defense contractors and technology companies, executives and government officials are confronting a sobering truth: The bad guys are winning.

The seemingly unending string of high-profile attacks, most recently against Citigroup Inc. and Sony Corp., has shown that nearly every organization is vulnerable to a growing contingent of well-trained and agile attackers who are finding security holes faster than they can be plugged.

"It's gotten very dangerous out there," said Stan Stahl, a security consultant and president of the Los Angeles chapter of the Information Systems Security Assn. "There's an epidemic of this stuff going on right now."

The increase in high-profile attacks comes as companies are looking to move more of their business operations online, including to the "cloud," in which computing tasks are outsourced to firms that maintain huge data centers around the world.

Despite the cloud's potential for cost savings and reducing the hassles of running in-house computer servers, security analysts say it may not yet be as safe as advertised — a warning that many companies are taking seriously.

Alex Bermudez, the security manager for Beachbody, a Los Angeles company that makes the popular P90X workout videos, said that although his company is beefing up security as it expands overseas, he's held off on shifting operations into the cloud.

"There are a lot of good technology companies doing the cloud well," he said, but having his company's data stored remotely, alongside data from many other firms, "is a little scary."

Concerns about the cloud dominated conversation at a UCLA conference this week on cyber security, which drew nearly 400 executives, double last year's attendance.

Eugene Schultz, chief technology officer at Emagined Security, said that hackers are spending substantial time and effort looking for ways to penetrate the cloud.

"There are some real Achilles' heels in the cloud infrastructure that are making big holes for the bad guys to get into," he said.

Because data from hundreds or thousands of companies can be stored on large cloud servers, he said, hackers can theoretically gain control of huge stores of information through a single attack — a process he called "hyperjacking."

Security professionals said the many attacks recently in the news reflect both an uptick in hacking activity and new pressure on companies to quickly disclose when they've been attacked.

When hackers broke into Sony's PlayStation network in April to steal information from about 77 million user accounts, the company came under fire from federal lawmakers for waiting days to inform customers that their personal data had been compromised.

Sony's handling of the breach triggered hearings in Washington and has spurred the Federal Trade Commission to recommend new laws that would compel companies to quickly disclose breaches to users or face penalties.

"Now people are like, 'If we don't get it out now, someone's going to do a congressional inquiry and we'll be called up and asked about it,' " said Jeff Carter, a security technologist formerly at Bank of America and now at Hoyos Group, which makes iris scanning security technology.

And as the attacks yield increasingly lucrative financial and personal data, the crowd of outlaws is growing too, many from developing nations where unemployment rates are high and programming jobs in short supply.

In much the same way that YouTube and cellphones have enabled millions to become filmmakers, and free blogging software has created legions of diarists, low-cost hacking tools have automated the hacking process for novices.

"A lot more people understand how to do this now," said Samy Kamkar, a security researcher and former hacker who once created a malicious computer program that crashed MySpace. "It's much easier for any kid with a computer to download software, point it at a company's website and attempt to run various attacks."

A hacker group called LulzSec has taken credit for recent attacks on the websites of the U.S. Senate, CIA, and several video game companies.

The group uses Twitter to publicize its exploits and has earned hundreds of thousands of followers.

In Internet lingo, the word "lulz" means laughs had at the expense of others – and is the group's self-proclaimed raison d'être.

"Vigilantes? Nope. Cyber terrorists? Nope," the group tweeted recently. "We have no political motives — we do it for the lulz."